OAuth Security Workshop 2017

Summary

OAuth is a critical component of the Internet infrastructure. OAuth enables a user to authorize a third-party application or service to obtain limited access to a service or account owned by that user. The security of the OAuth protocol is therefore paramount, since otherwise large-scale loss, theft, or corruption of user data can result. To this end we want to bring together experts from industry and the research community with the goal of improving the assurances provided by OAuth and increasing the quality of its specifications.

This meeting is organized by the IETF OAuth Working Group (WG), which is convinced that the wider Internet security community can help improve the security of Internet protocols. To reach out to all manner of security experts, from research, industry, and standardization bodies, the WG will hold this workshop on OAuth security during the week before the summer IETF meeting, namely on July 13th and 14th, 2017, in Zürich, Switzerland, hosted by the Zurich Information Security and Privacy Center (ZISC) of ETH Zurich.


Event Details

When: July 13 & 14, 2017
Where: ETH Zürich, Alumni Pavillon, Rämistrasse 101, 8092 Zürich

Please note that due to construction work at the tram stop “Central” it may take you longer to get to the Alumni Pavillon than route planners will suggest, particularly if you are arriving from the main train station (Zurich HB). The funicular “Polybahn” is your easiest way up the hill, but will be very busy.

Registration

For the general public: https://zisc.ethz.ch/event/oauth-security-workshop-2017/

For ZISC affiliates: https://zisc.ethz.ch/event/oauth-security-workshop-2017-internal/


Schedule

Thursday

08:30-09:00  Registration and coffee
09:00-09:15  Torsten Lodderstedt, YES Europe: Opening Remarks
09:15-10:15  David Basin, ETH Zurich: Security Protocols at ETHZ (slides)
10:15-10:30  Break
10:30-11:30  Cas Cremers, University of Oxford: Automated analysis and the subtleties of authentication: Adventures in TLS 1.3 (invited talk) (slides)
11:30-11:45  Break
11:45-12:30  Michael Jones, Microsoft: OAuth Token Binding: Status and Next Steps (slides)
12:30-13:15  Denis Pinkas, DP Security Consulting: A privacy by design eID scheme supporting Attribute-based Access Control (ABAC) (slides: scheme; slides: German eID; paper)
13:15-14:45  Lunch at Dozentenfoyer (directions)
14:45-15:30  Naveen Agarwal and Breno de Medeiros, Google: OAuth & Phishing – Experiences @ Google (slides)
15:30-16:15  Torsten Lodderstedt and John Bradley: OAuth security (slides)
16:15-16:45  Break
16:45-17:30  Sven Hammann, ETHZ: Proposing a new Private Mode for OpenID Connect (slides)
18:00        Dinner at The Alehouse – Palmhof (location)

Friday

08:30-09:00  Coffee
09:00-09:45  Daniel Fett, Ralf Kuesters, and Guido Schmitz, Universität Stuttgart: The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines (slides)
09:45-10:30  Nat Sakimura, Nomura Research Institute: Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the application of BCM Principles (slides, paper)
10:30-10:45  Break
10:45-11:30  Hannes Tschofenig, ARM: Lessons learned from security protocol design: Meaningful content for security consideration sections of technical specifications (slides)
11:30-11:45  Break
11:45-12:30  William Denniss (presented by John Bradley), Google: Improving Native App OAuth Security with External User Agents (slides)
12:30-13:15  Go Yamamoto, Richard Boyer, Kenji Takahashi, and Nat Sakimura, Nomura Research Institute: Asserting Access Tokens from the Transport Layer (slides)
13:15-14:45  Lunch at Dozentenfoyer (directions)
14:45-15:30  Jacob Ideskog, Curity: Simplified Integration of OAuth into JavaScript Applications (slides)
15:30-16:00  Break
16:00-16:45  Antonio Sanso, Adobe: Invalid curve attack in JWE ECDH-ES (slides)
16:45-17:30  General Discussion

Program Committee

Chairs

  • David Basin (ETH Zurich)
  • Torsten Lodderstedt (YES Europe)

Members

  • John Bradley (Ping Identity)
  • Ralf Küsters (University of Stuttgart)
  • Chris Mitchell (Royal Holloway University of London)
  • Anthony Nadalin (Microsoft)
  • Nat Sakimura (Nomura Research Institute)
  • Ralf Sasse (ETH Zurich)
  • Jörg Schwenk (Ruhr University Bochum)
  • Hannes Tschofenig (IETF OAuth Working Group Co-Chair)

Organizing Committee

  • David Basin (ETH Zurich)
  • Torsten Lodderstedt (YES Europe)
  • Ralf Sasse (ETH Zurich)

Administration

  • Barbara Pfändner (ETH Zurich)


Invited Speaker

  • Cas Cremers, University of Oxford


Hotels

These hotels are within walking distance of the venue, but there are plenty more hotels in the Zurich area.


Important Dates

  • Position paper submission deadline: May 2, 2017, extended to May 9, 2017 (AoE, UTC-12).
  • Author notification: May 15, 2017, delayed to May 22, 2017.
  • Registration deadline: June 16, 2017.
  • Workshop: July 13 and July 14, 2017.

Call for Position Papers

Contact

For further questions please contact the organizing committee at ralf.sasse@inf.ethz.ch